Misuse and Anomaly Detection
Sampath Kannan, Wenke Lee, Insup Lee, Diana Spears, Oleg Sokolsky, William Spears, Linda Zhao


Network Intrusion Detection Systems (NIDS)
- Important defense to protect sensitive information and resources on the network.
- Usually have the following functionalities:
  - Observe traffic and extract features
  - Pattern match with a database of “attack signatures” to detect misuse (intrusion)
  - Observe statistical properties and check against specifications of correct behavior to detect anomalies

Shortcomings of Current NIDS
- New attack strategies arise constantly and attack signature databases become obsolete rapidly.
- The volume and interleaving of traffic at the network backbone make complex signature recognition infeasible.

Shortcomings cont’d
- Anomaly detection algorithms are primitive. We want more scalable yet more sophisticated techniques.
- Want to reduce the number of false positives in anomaly detection to make it useful.

Our Approach
- Use Machine Learning, Data Mining, and Case-Based Reasoning techniques to learn new intruder models on the fly.
- Build a taxonomy of possible anomalies; extract relevant features; use statistical and machine learning techniques to reduce the false-alarm rate.

Our Approach – Cont’d
- Apply sophisticated algorithms designed in the resource-constrained data stream model to NIDS.
- Integrate all of these modules into a MaC-based system architecture.

Existing Infrastructure
- Monitoring and Checking (MaC) architecture for run-time monitoring
- User-specified instrumentation of running programs to extract important state changes (Primitive Event Definition Language, PEDL).
- User-specified conversion of these low-level events to abstract events relevant to properties (MEDL).
- Checker for processing the abstract event stream to monitor correctness.

Existing Infrastructure – Cont’d
- An experimental test-bed to test the performance of Intrusion and Anomaly Detection Systems.
  - Enhancement of a similar set-up from MIT Lincoln Labs from the 90’s.
  - Models hacker profiles and a taxonomy of attacks, and generates “realistic” normal and attack traffic.
  - Metrics for evaluating the potency of attacks.

Using MaC for NIDS
- Need multiple Primitive Event Definition Languages (PEDLs) to model different algorithmic techniques for extracting abstract events.
- Need dynamically changeable properties as machine learning approaches discover new attack signatures.
- Need an integration module that combines the results of the various modules.

Inferring Mixtures of Markov Chains (Batu, Guha, Kannan)
A theoretical result...

An example
- Network traffic log … each party behaves like a Markov Chain
- Some parties are malicious
- Can you tease out the malicious chains from a single common log?

Another Example: Browsing habits
- You read sports and cartoons. You’re equally likely to read both. You do not remember what you read last.
- You’d expect a “random” sequence SCSSCSSCSSCCSCCCSSSSCSC…

Suppose there are two
- I like health, entertainment, and fashion
- I always read entertainment first, health next and fashion last
- The sequence would be EHFEHFEHFEHFEHFEHFEHF…

Two readers, one log file
- If there is one log file…
- Assume there is no correlation between us
SECHSSFECSHFESCSSHCFCESCHCCFSESHFESSHFE…
Is there enough information to tell that there are two people browsing? What are they browsing? How are they browsing?

Clues in stream?
- Yes! (under model assumptions).
- H, E, F have a special relationship.
- They cannot belong to different (uncorrelated) people.
- Not clear about S and C... Could be 3 uncorrelated persons.
SECHSSFECSHFESCSSHCFCESCHCCFSESHFESSHFE…

Markov Chains as Stochastic Sources
[Figure: a Markov chain emitting its output sequence]

Markov chains on S, E, C, H, F
[Figure: the two readers modeled by two Markov chains. Chain on {S, C}: every transition has probability 1/2. Chain on {E, H, F}: E→H→F→E, every transition has probability 1.]

Problem Statement (informal)
- Two or more probabilistic processes
- We are observing interleaved behavior
- We do not know which state belongs to which process – cold start.

The Problem
[Figure: MC1 and MC2 interleaved into a single observed stream. Observe the stream; infer MC1, MC2, and the mixing parameters.]
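The two-reader setting from the “Two readers, one log file” and “Clues in stream?” slides, as an added Python example that is not from the presentation or from the Batu, Guha, Kannan paper: it mixes the two constructed chains from the slides with a mixing parameter and then checks the restricted-subsequence statistic that singles out H, E, F as belonging to one reader. Function names, the seed and the successor check are my own choices; the check is a simplified illustration of the clue, not the paper’s algorithm.

```python
import random
from collections import Counter

# Constructed chains taken from the slides: a memoryless Sports/Cartoons reader
# (each transition 1/2) and a reader who always cycles E -> H -> F.
CHAIN_SC = {"S": {"S": 0.5, "C": 0.5}, "C": {"S": 0.5, "C": 0.5}}
CHAIN_EHF = {"E": {"H": 1.0}, "H": {"F": 1.0}, "F": {"E": 1.0}}

def interleave(chains, starts, mix, n, seed=0):
    """Build one shared log: at each step pick a chain with probability mix[i]
    (the mixing parameters), advance it, and append the state it reaches."""
    rng = random.Random(seed)
    states, log = list(starts), []
    for _ in range(n):
        i = rng.choices(range(len(chains)), weights=mix)[0]
        nxt, probs = zip(*chains[i][states[i]].items())
        states[i] = rng.choices(nxt, weights=probs)[0]
        log.append(states[i])
    return "".join(log)

def restricted_transitions(log, symbols):
    """Transition counts of the log restricted to `symbols`. Symbols owned by a
    single chain keep that chain's statistics in the restricted sequence."""
    sub = [s for s in log if s in symbols]
    return Counter(zip(sub, sub[1:]))

def looks_deterministic(counts):
    """True when every symbol in the restricted sequence has one successor:
    the clue the slides use to tie H, E, F to the same reader."""
    succ = {}
    for a, b in counts:
        succ.setdefault(a, set()).add(b)
    return all(len(v) == 1 for v in succ.values())

def successor_fractions(counts, sym):
    """Empirical next-symbol distribution after `sym` in the restricted sequence."""
    total = sum(c for (a, _), c in counts.items() if a == sym)
    return {b: c / total for (a, b), c in counts.items() if a == sym} if total else {}

if __name__ == "__main__":
    log = interleave([CHAIN_SC, CHAIN_EHF], ["S", "E"], [0.5, 0.5], 3000)
    print(log[:40] + "...")
    print(looks_deterministic(restricted_transitions(log, {"E", "H", "F"})))  # True
    print(successor_fractions(restricted_transitions(log, {"S", "C"}), "S"))  # each between 0.4 and 0.6
```

Restricting to {S, C} gives roughly 1/2 for each successor, so the same check cannot split S from C, which is the “not clear about S and C” point on the slide.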

For our problem we assume:
- The stream is polynomially long in the number of states of each Markov chain (a perhaps long stream is needed).
- C : maximum cover time
- Q : upper bound on the denominator of any probability
- Nonzero probabilities are bounded away from 0.
- Space available is some small polynomial in the number of states.
Under these assumptions, we can identify the individual chains if their state spaces are disjoint.

Research Directions
- Many exciting directions
- Our research team has expertise in network security, machine learning, AI, real-time systems, and algorithm design
- We expect interesting synergies between these strengths.